### Secrets Sync SSRF Protection May Block Private Endpoints

As of version 1.17.3, Vault's Secrets Sync includes additional Server-Side Request Forgery (SSRF) protection measures. This security enhancement prevents sync operations to certain IP ranges by introducing a new SSRF-safe HTTP client. The client specifically blocks requests to private IP ranges (such as 10.0.0.0/8), which affects users accessing cloud provider secret stores through private endpoints.

**Impact:**
- Secrets Sync operations to private IP ranges will be blocked
- Affects all destinations when accessed via private endpoints

**Example error message:**

<CodeBlockConfig hideClipboard>

```plaintext
couldn't sync secret with store: failed to publish event: dial tcp [IP]: prohibited IP address: [IP] is not a permitted destination (denied by: 10.0.0.0/8)
```

</CodeBlockConfig>

**Current Workaround:**
1. Remain on Vault version 1.17.2 or earlier if you require Secrets Sync with private endpoints
2. Use public endpoints for your secret store services
